Does Your Time to First Byte Bite?
Scott Taylor, Director of Solutions Engineering
Data Connectors Minneapolis
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Two Protocols to Run the Internet

First in the Chain
(Diagram: Initial Connection → DNS Lookup → TTFB → Content, from front-end to back-end, for https://example.com)
BGP performance
● Network: global perspective metrics
● BGP: routing changes and reachability
● Providers: market performance analysis
● Prefix: monitoring and alerting
Initial Connection
● CDN: latency optimization and vendor diversity
● Geo: planning for geographic reach
● Reach: provider reachability alerts
DNS Lookup
● Query: always available answers
● Trace: DNS query hierarchy
● Server: authoritative or caching name servers
● DNSSEC: keychain validation
TTFB
● Geolocation: reduce latency & hops
● Failure routing: only route to live site
● Security: ensure route to server is secure
First in the Chain Matters
URL: http://community.nasdaq.com
• Host: community.nasdaq.com • IP: 206.200.251.78 • Error/Status Code: 200 • Client Port: 63174 • Request Start: 0.443 s • DNS Lookup: 379 ms
• Host: tapestry.tapad.com • IP: 198.51.152.83 • Error/Status Code: 200 • Client Port: 63187 • Request Start: 3.349 s • DNS Lookup: 388 ms

DNS Configurations

Primary Cloud DNS
(Diagram: Users → Recursives → Primary (labelled APM); the recursive asks "Example.com?" and the primary answers 1.1.1.1.)

Primary DNS
PRO’s
● Faster resolution times
● No on prem expense
● Use of Dyn’s NOC for DDoS mitigation
CON’s
● Still a single point of failure

Secondary DNS
(Diagram: Users → Recursives → Primary/Master and Secondary*; everyone is in delegation. The primary sends NOTIFY and the secondary pulls the zone via AXFR/IXFR; both answer "Example.com?" with 1.1.1.1.)
● Primary = Manages the zone, gives updates
● Secondary = Only receives updates from primary
*This is where that confusing secondary term comes from.
Secondary DNS
PRO’s
● Multiple vendors for resiliency
● Fastest responder wins
● Extremely easy to set up
● Use of Dyn’s NOC for DDoS mitigation
CON’s
● If primary goes down, no changing records
● Not all vendors support AXFR and/or IXFR
● Not all vendors support NOTIFY
● Advanced intelligent routing schemes cannot be replicated

Hidden Master
How it works: The PRIMARY is on the side of the customer, outside the delegation. The SECONDARY is Dyn, which receives updates just like a normal primary - secondary.
(Diagram: Hidden Master (labelled APM, the customer's data) → Authoritative (Dyn) ← Recursives ← Users; "Example.com?" is answered with 1.1.1.1.)

Hidden Master
PRO’s
● Works great with in-house solutions
● Extremely easy to set up
● Dyn handles: zero day attacks, performance and scale, DDoS protection
CON’s
● Not the master server
● Responsible for zone management

Security
Protection Stack Summary
● Network layer attacks (layers 3 & 4): UDP floods, SYN attacks and ICMP. > 80% of all attacks reported are here.
● Session layer attacks (layers 5 & 6): DNS floods and SSL floods.
● Application layer attacks (layer 7): GET floods, SQLi and CSRF. < 20% of all attacks reported are here.
Protection stack:
● Upstream transit filtration
● Bandwidth & authoritative DNS servers absorb
● Signature based filtration methods for targeted application attacks (layer 7)
Monitoring:
● Market Alerts (BGP alerting on top competitors)
● Dyn DDoS Alerts (validate layer 7 DDoS service is advertising routes)
All organizations suffer from DDoS attacks at some point in time.

DNS Amplification Attacks
● DNS query messages are < 50 bytes.
● Traditional DNS response (such as an
● DNS messages can contain lots of other information. (For example, anti-spam technologies include cryptographic material.) These extended response messages can be quite large: 1 KB or greater.
● DNS is designed to send many responses very quickly.
● If an attacker issues 100,000 short DNS queries of 50 bytes each (5 MB total) and each reply is 1 KB, that’s an aggregate response of 100 MB.

DNS Reflection Attacks
● Each bot machine issues one or more DNS queries, but uses the IP address of the target system as its source IP address (i.e. spoofing).
● The DNS service replies to the target IP address (not the IP address of the querying computer).
● The effect of the reflection attack is twofold. First, the target system is overwhelmed by thousands or millions of DNS query responses (one or more for each bot). Second, the DNS name server is consumed by bogus requests and may lack the compute/elastic resources or bandwidth.
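As an added example (not part of the deck), the arithmetic above carried through in Python together with a toy response-rate-limiting (RRL) filter of the kind an authoritative server uses to blunt reflection: the query and reply sizes are the deck's own figures, while the traffic records, the /24 grouping and the truncated-reply size are constructed assumptions.

```python
from collections import defaultdict

QUERY_BYTES = 50      # deck: a DNS query message is under 50 bytes
REPLY_BYTES = 1000    # deck: an extended reply is about 1 KB (100,000 of them = 100 MB)
TC_REPLY_BYTES = 50   # assumption: a truncated (TC=1) reply is roughly query-sized

def amplification(n_queries, query_bytes=QUERY_BYTES, reply_bytes=REPLY_BYTES):
    """Bytes the attacker sends, bytes the reflector delivers to the victim, ratio."""
    sent, delivered = n_queries * query_bytes, n_queries * reply_bytes
    return sent, delivered, delivered / sent

class ResponseRateLimiter:
    """Toy RRL: per (client /24, qname, qtype) allow `limit` full replies per
    `window` seconds; past that, every `slip`-th response is a small TC reply
    (a genuine client retries over TCP, a spoofed source cannot) and the rest
    are dropped, so a reflected victim sees little amplification."""
    def __init__(self, limit=5, window=1.0, slip=2):
        self.limit, self.window, self.slip = limit, window, slip
        self.state = {}  # key -> (window_start, responses_in_window)

    def decide(self, client_ip, qname, qtype, now):
        key = (client_ip.rsplit(".", 1)[0], qname.lower(), qtype)
        start, count = self.state.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.state[key] = (start, count)
        if count <= self.limit:
            return "send"
        over = count - self.limit
        return "slip" if self.slip and over % self.slip == 0 else "drop"

def replay(queries, rrl):
    """Bytes each client address receives with and without RRL applied."""
    cost = {"send": REPLY_BYTES, "slip": TC_REPLY_BYTES, "drop": 0}
    out = defaultdict(lambda: {"without_rrl": 0, "with_rrl": 0})
    for t, client, qname, qtype in queries:
        out[client]["without_rrl"] += REPLY_BYTES
        out[client]["with_rrl"] += cost[rrl.decide(client, qname, qtype, t)]
    return dict(out)

# Constructed traffic: 60 spoofed ANY queries "from" the victim within one second,
# plus three ordinary A lookups from a real client.
SAMPLE_QUERIES = [(i * 0.01, "198.51.100.7", "example.com", "ANY") for i in range(60)]
SAMPLE_QUERIES += [(t, "203.0.113.5", "example.com", "A") for t in (0.0, 0.3, 0.6)]

if __name__ == "__main__":
    print(amplification(100_000))                         # (5000000, 100000000, 20.0)
    print(replay(SAMPLE_QUERIES, ResponseRateLimiter()))
```

With the defaults the spoofed victim receives 6,350 bytes instead of 60,000 while the real client's three answers are untouched.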
Result of DDoS Attack
(Graph: query volume during the attack)
This is the result of a very short lived DDoS attack that our NOC team was able to handle with very little effort.
● If you are currently supporting DNS on premise, can you handle this kind of query volume with your existing bandwidth?
● How well can your ISP- or registrar-based DNS solution mitigate this type of attack? Do they have the bandwidth on a single provider to absorb these attacks?

DDoS Mitigation Monitoring
Sometimes the cure is similar to the poison.
● Union Bank uses Verisign for DDoS mitigation.
● Verisign failed to propagate Union Bank routes globally, so some of Dyn’s peers still have a route the attacker can use (noted in red on the graph and bolded in the trace).
● Dyn receives full routing tables from over 700 IPv4 and v6 networks.
Traceroute at 23:56 UTC:
Hop | IP | Hostname | Network | Location | RTT (ms)
14 | 69.25.168.65 | border5.ae2-bbnet2.phx010.pnap.net | Internap Network Services | Phoenix, United States | 172.82
15 | 69.25.171.146 | unionb-9.edge1.phx010.pnap.net | Internap Network Services Corpor | Phoenix, United States | 173.822
16 | 204.138.240.49 | | Union Bank of California | Monterey Park, United States | 182.973
Traceroute at 23:59 UTC:
Hop | IP | Hostname | Network | Location | RTT (ms)
12 | 69.25.168.65 | border5.ae2-bbnet2.phx010.pnap.net | Internap Network Services | Phoenix, United States | 184.004
13 | 69.25.171.146 | unionb-9.edge1.phx010.pnap.net | Internap Network Services Corpor | Phoenix, United States | 184.753
14 | 204.138.240.3 | | Union Bank of California | Monterey Park, United States | 191.162
15 | 204.138.240.110 | chns2.unionbank.com | Union Bank of California | Monterey Park, United States | 189.832

Recent Routing Issues Events
● January 20, 2017, TIC announced BGP hijacks for 20 individual IPs associated with Apple’s iTunes service.
● March 2, 2017, Italian provider leaks 51,000 prefixes impacting Netflix, Cloudflare and others.
● April 10, 2017, Bulgartel of Bulgaria hijacks Chubb Insurance and others.
● April 26, 2017, Rostelecom hijacks 36 prefixes that included HSBC, Visa, Mastercard and smaller European banks.
● May 2, 2017, Centurylink hijacks address space for Microsoft Livemeeting, which results in traffic misdirection.

BGP Hijacks
With the passive and active monitoring of BGP announcements and traceroutes we can identify anomalies and prove that traffic is following the hijacked announcement.
Traceroute showing hijack:
IP | Hostname | Network | Location | RTT
209.85.240.212 | | Google Inc. | Moscow, Russia | 296.789 ms
90.154.105.68 | broadband-90-154-105-68.moscow.rt.ru | PJSC Rostelecom | Moscow, Russia | 297.116 ms

BGP Hijack Centurylink/Microsoft
Traceroute showing hijack:
IP | Hostname | Network | Location
206.28.101.34 | cr1-te-0-3-0-3.sfo.savvis.net | Savvis | San Francisco, United States
204.70.207.34 | er1-te8-0-1.svl.savvis.net | Savvis | Chesterfield, United States
204.70.207.25 | hr2-xe-8-3-3.sc4.savvis.net | Savvis | Chesterfield, United States
216.35.14.34 | | Savvis | San Francisco, United States
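As an added example (not from the deck or from Dyn's own tooling), a Python check over per-peer BGP route views that raises the two kinds of alert the preceding slides describe: a prefix or more-specific announced by an unexpected origin (the hijack events), and, once a prefix has been moved behind a mitigation provider, peers that still see a path around that provider (the Union Bank case). All ASNs, prefixes and peer names are constructed placeholders.

```python
import ipaddress
from itertools import groupby

# Constructed policy: expected origin AS per monitored prefix and, once the prefix
# sits behind a DDoS-mitigation provider, the AS expected directly upstream of it.
MONITORED = {"203.0.113.0/24": {"origin": {64500}, "upstream": {64510}}}

# Constructed route views: (peer collector, prefix, AS_PATH as that peer sees it).
SAMPLE_VIEWS = [
    ("peer-A", "203.0.113.0/24", [64520, 64510, 64500]),         # via mitigation provider
    ("peer-B", "203.0.113.0/24", [64530, 64540, 64500, 64500]),  # old upstream, prepended origin
    ("peer-C", "203.0.113.0/25", [64550, 64666]),                 # more-specific, foreign origin
    ("peer-D", "198.51.100.0/24", [64520, 64560]),                # not monitored
]

def dedupe_path(path):
    """Collapse AS-path prepending (64500 64500 -> 64500) before reading neighbours."""
    return [asn for asn, _ in groupby(path)]

def covering_prefix(prefix, monitored):
    """Monitored prefix equal to or less specific than `prefix`, else None."""
    net = ipaddress.ip_network(prefix)
    return next((m for m in monitored if net.version == ipaddress.ip_network(m).version
                 and net.subnet_of(ipaddress.ip_network(m))), None)

def check_views(views, monitored=MONITORED):
    """One alert per peer view that contradicts the policy."""
    alerts = []
    for peer, prefix, raw_path in views:
        mon = covering_prefix(prefix, monitored)
        if mon is None:
            continue
        path, policy = dedupe_path(raw_path), monitored[mon]
        origin, upstream = path[-1], (path[-2] if len(path) > 1 else None)
        if origin not in policy["origin"]:
            kind = "more_specific_hijack" if prefix != mon else "origin_mismatch"
            alerts.append({"peer": peer, "prefix": prefix, "type": kind, "origin": origin})
        elif policy.get("upstream") and upstream not in policy["upstream"]:
            alerts.append({"peer": peer, "prefix": prefix, "type": "unexpected_upstream",
                           "upstream": upstream})
    return alerts

def propagation(views, prefix, monitored=MONITORED):
    """Share of peers seeing `prefix` exactly as policy expects: 1.0 means the
    mitigation route reached everyone, less means some peers still hold a path
    around it, as in the Union Bank trace above."""
    seen = [v for v in views if v[1] == prefix]
    bad = {a["peer"] for a in check_views(seen, monitored)}
    return (len(seen) - len(bad)) / len(seen) if seen else 0.0
```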
About Dyn

DNS Unique Value
(Table columns: Value / Oracle + Dyn Unique)
● Consistently High Performance Response Times Worldwide
● DNS propagation time < 1 minute
● Highly Resilient
● Optimized Transit Connections at each POP
● Advanced DDoS Attack Processes
● Superior Geolocation Accuracy
● Extreme Industry Expertise

Anycast Network
“Dyn delivers the best DNS response time worldwide.” – CloudHarmony

Anycast Network
Dyn is connected to multiple tier one transit providers throughout the network.

Network Deployment Strategy
Dyn routes DNS traffic uniquely across its Anycast nameservers to a varied mix of highly available ISP’s.

Collecting Traceroute and BGP
“It’s good to see this great data being exposed for operational purposes. The internet is so critical for almost every business today.” – Gartner (Jonah Kowall, VP)
Active monitoring of BGP.
• Real-time global routing table from over 700 sessions
• 300+ collectors sending traceroutes to over 1.5 million targets daily, resulting in over 6B measurements per day
• Updates and alerts 30 seconds from real time
DNS Based Load Balancing
A hybrid cloud based approach
Load Balancing @ the DNS TLD/APEX
● Geolocation Load Balancing
● Ratio Load Balancing
● Active Failover
Availability Monitoring
● Health up/down for endpoints
● Event logging and notifications
● Integration flexibility through syslog
Intuitive UI and API Functionality
● Faster response & failover vs. traditional hardware based devices
● Quick and efficient options to perform MACD to your hybrid environment

Geo IP Accuracy
DNS recursive servers…
• Originate 90% of our DNS traffic
• We improve geolocation accuracy by over 20% compared to other commercial geolocation providers
• There has been a measured 25ms median latency improvement for requests involving these corrected IP addresses
(Map of most active recursive DNS locations)

Endpoint Agnostic Routing
Route to Anything:
● Datacenters
● Load balancers
● CDNs
● Cloud Hosting
● Filtration services
● VOIP
Pick and Choose:
● Geography
● Round Robin
● Weighted
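As an added example (not the product's own code), a Python model of the geolocation, ratio and active-failover steps listed above: answer from healthy endpoints in the client's region, weight the choice by ratio, and fall back to a region-agnostic failover endpoint when the region has nothing healthy, so that only a live site is ever routed to. The endpoint pool, regions, weights and TTL are constructed assumptions.

```python
import random

# Constructed endpoint pool: region, ratio weight and a health flag that the
# availability monitor would flip when an endpoint goes down.
POOL = [
    {"name": "us-east-dc",  "ip": "192.0.2.10",    "region": "us",  "weight": 3, "healthy": True},
    {"name": "us-west-cdn", "ip": "192.0.2.20",    "region": "us",  "weight": 1, "healthy": True},
    {"name": "eu-cloud",    "ip": "198.51.100.10", "region": "eu",  "weight": 2, "healthy": True},
    {"name": "failover",    "ip": "203.0.113.10",  "region": "any", "weight": 1, "healthy": True},
]
TTL = 30  # assumption: a short TTL so recursives pick up a failover quickly

def set_health(pool, name, healthy):
    """Return a new pool with one endpoint's health changed (what the monitor does)."""
    return [dict(e, healthy=healthy) if e["name"] == name else e for e in pool]

def candidates(pool, client_region):
    """Geolocation + active failover: healthy endpoints in the client's region;
    failing that, the region-agnostic failover; failing that, anything healthy."""
    healthy = [e for e in pool if e["healthy"]]
    local = [e for e in healthy if e["region"] == client_region]
    return local or [e for e in healthy if e["region"] == "any"] or healthy

def answer(pool, client_region, rng=random):
    """Ratio step: weighted choice among candidates. Returns (ip, ttl), or None
    when nothing is healthy (never hand out a dead endpoint)."""
    cands = candidates(pool, client_region)
    if not cands:
        return None
    chosen = rng.choices(cands, weights=[e["weight"] for e in cands], k=1)[0]
    return chosen["ip"], TTL

def distribution(pool, client_region, n=10000, seed=1):
    """Observed share of answers per IP over n simulated queries."""
    rng, counts = random.Random(seed), {}
    for _ in range(n):
        ip = answer(pool, client_region, rng)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: c / n for ip, c in counts.items()}

if __name__ == "__main__":
    print(distribution(POOL, "us"))                  # roughly 0.75 / 0.25 by weight
    print(answer(set_health(POOL, "eu-cloud", False), "eu"))  # ('203.0.113.10', 30)
```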
Things to Consider
DNS of today is not your father’s DNS. BGP can be monitored and is now used in ways never seen before.
● DDoS attacks are larger and more complex than ever before
● Attackers can use BGP to redirect traffic through an undesirable location
● Customer steering to improve experience does not need to be done by a box in your data center
● The root cause of a performance issue can be identified so your team does not need to be pulled into emergency troubleshooting
● Monitoring and failover can be done while you are sleeping
● What Internet Service Providers do with routing your traffic can be seen, and intelligent decisions can be made around provider choices